Imgur is being used to create a botnet and DDOS to 4chan and 8chan


Perks

TLDR: basically there are images hosted on imgur that run code in the background

Here is the thread where it was first discovered

https://www.reddit.com/r/4chan/comments/3lutoo/imgur_is_doing_fishy_things_with_4chan_screencaps/

This is the image OP posted explaining what he found

http://puu.sh/kjvLI/f57b37ccc0.png

When an Imgur image is loaded from /r/4chan, imgur loads a bunch of images from 4chan's content delivery network or 8chan (unclear at this point, might be both), which causes a DDoS to those sites.

See this picture: https://www.reddit.com/r/4chan/comments/3lutoo/imgur_is_doing_fishy_things_with_4chan_screencaps/cv9j7n0

You should only see one image loaded in that list, not all of those.

(This is what a normal Imgur image looks like when it is loaded: https://imgur.com/Hd6QEkl. See that only the one image is loaded, not 500 random ones. The injected.js is just a Chrome extension.)

Basically, clicking on an Imgur link on /r/4chan ends up opening ~500 links from 4chan.org/8chan.

Looks like imgur is addressing the issue. https://twitter.com/imgur/status/646109824342593536


hacker manages to inject JavaScript code into imgur. source: https://archive.is/JaJmO

JS loads a flash swf. decompiled swf shows this AS3 code: http://pastebin.com/ytfKq2Mw

swf injects and saves javascript into localstorage. injected code here: http://pastebin.com/XUssBG5z

Javascript injects more javascript into the page and evals it. src: http://pastebin.com/myxtBWjh

Javascript loads something remotely with the url "'https://8chan.pw/ a_this.uaf" but uaf is a secret that is calculated somehow. Would have to examine (or just run) the code to figure out what the url is.

uaf file is being decrypted as of now

it returned nothing useful

edit: it actually did return a space when referred to 4chan.org. maybe some other url will return something useful?

this is what needs to be researched (for any of you javascript and web nerds)

links:

Guesses include client-side involuntary DDoS on both/either 8chan and 4chan


For those who use imgur, look at the part in red and the edits


This isn't a DDOS. It's targeting 8chan users and leaving javascript code in their local storage that causes their browsers to ping back to a command and control server each time they hit an 8chan page. Thus far the C&C server hasn't sent out any commands (or stopped issuing commands before this was discovered). Over the evening whoever authored this has been updating and changing their code. It only affects very specific imgur images/pages. Why is not yet known.

Things to take away:

  • If you visit imgur and 8chan you may very well have a big issue. Clear your localstorage (go to 8chan, open your browser's console, type localstorage and see what's there - then type localstorage = [] and hit enter) as well as all browser private information (cookies, passwords, offline storage, etc). See edit #4 for a better way to ensure you're safe. Don't go to 8chan before clearing all local storage.

  • Imgur is compromised. This is the big one and should be very worrisome to anyone on this site. There are three possibilities:

1.) There is an exploit in how imgur processes images that allows someone uploading an image to get code injected into the page when someone else loads the image from imgur

2.) Imgur has one or more servers that are compromised

3.) Imgur has a rogue employee injecting malicious code.

In all cases, this is really, really bad. It's very unlikely that a 0day exploit on a site as big as imgur is just being used to go after 8chan (unless it's case 3. and someone has a grudge). This allows whoever knows how to take advantage of the exploit to launch an XSS attack against anyone who visits a malicious page on imgur. And there's no way to tell before visiting the page. Not all pages on imgur are compromised and right now it appears to be a very small number of images that had malicious payloads sitting on their page.

How the attack appears to have worked:

1.) Malicious javascript got onto imgur's server somehow (via one of the three routes outlined above)

2.) This js created iframes and embedded a flash file hosted on 8chan. The iframe was off screen so a user would not notice. Since imgur typically uses flash for parts of its functionality flash asking to run on imgur wouldn't be seen as suspicious.

3.) This flash file injected more javascript into the page (while on the surface looking like an innocuous pikachu animation). This javascript was stored to the user's localstorage (which, since the iframe was pointing at 8chan, allowed the attacker to attach js to 8chan's localstorage). Its functionality is to issue a GET request to 8chan.pw (not an 8chan server AFAIK) and then decrypt the response. So far no one has been able to see a response from that web service, meaning it likely wasn't activated yet or has already been deactivated. The outcome is that every time a user visited an 8chan page, it would "phone home" to check for instructions and then execute more javascript code.

I would stress that everyone should disable flash and javascript on imgur for the time being. This attack may not be the only use of this exploit and a lot of very, very bad things could be done through XSS if more people are exploiting this. You should treat the entire site as potentially compromised until imgur addresses this and explains what happened.

Edit: The original thread has been deleted. What the hell. (In fairness this could have been done by the original poster or the mods "for the lulz" since it was in /r/4chan after all).

Edit2: And now it's back

Edit3: localStorage.clear() is all around a better idea

Edit4: More help to clear local storage

Source


Seems to be some frustrated guy; he must have got annoyed with some 8chan admin and decided to get revenge using imgur as a weapon, and since the 8chan crowd are the old guard of 4chan, both take the hit. It doesn't seem very dangerous for the user, but the imgur boss must be walking around sword in hand looking to see who is going to lose their head.


no, in principle it shouldn't be too bad, since js shouldn't run on a site other than that one, unless they find a way to take you to a spoof of a site like paypal, from my understanding

if they got here through imgur, they could certainly do more, or even xss against many servers that use imgur's script for embeds

btw we've already disabled it on fnf

many reddit subs have already disabled imgur posts too

 

anyway

notice the similarities

http://www.wired.com/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

 


Malwarebytes is still blocking imgur; even though it has been fixed, it is only safe after you clear the cache. While we're at it, more info about what that thing can do

https://www.reddit.com/r/KotakuInAction/comments/3lybrf/happenings_imgur_has_closed_the_security_hole/

In a post on the Malwarebytes blog they linked directly to this one

https://blog.malwarebytes.org/hacking-2/2015/09/imgur-abused-in-ddos-attack-against-4chan/

Don't forget to look at the bold and underlined parts

 

  1. Thanks to a security hole in imgur involving MIME magic, the hacker can inject JS. (Basically, thanks to imgur's code that lets you link to GIFs as PNGs, your browser renders an invisible HTML file containing your image and some invisible JS without telling you)

  2. The JS loads an iframe from 8chan, acting as part of a DDoS. The iframe contains a Flash file. Flash can create and modify local storage for 8Chan, even if you've never visited it. It then flags the rest of the malicious file as a "favorite". (Because the hacker was a chan lurker, the file also contained easter eggs like dancing pokémon and a private key containing the string imsorrybrennan)

  3. The JS then causes your browser to ping 8Chan. 8Chan loads the content of your "favorites" on the page, no sanitization at all.

  4. This lets a div containing a script tag finish executing the JS.

  5. The JS then pings 8ch.pw, the hacker's domain, (not 8Chan) which can serve it any JS payload it wants.

  6. The JS then lies dormant in your local storage until it receives a go code, or a self destruct code that causes it to be replaced with another payload from 8ch.pw.

6A. The sheer amount of traffic this generated for 8Chan's servers also acts as a DDoS, just as a bonus!

It goes without saying that you NEED to clear your local storage if you've been on imgur. Open your browser console (while on imgur, thanks, /u/powerpiglet!) and enter localStorage.clear(). (EDIT: this may not work for some reason, see /u/lucben999's comment for a fix.) Since imgur is safe now, you should be OK. Until you do, attackers could be using your computer to:

  • Transmit your passwords to attackers

  • Become a piece of a giant DDoS

  • Constantly load ads that pay attackers

  • Request edgelord-tier child pornography from a honeypot without your knowledge

If you have any questions about the specifics of the attack, please ask me! I love netsec and this breach is like a great white whale.

This applies whether you have been there or have just come across an image from there
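Two of the weak points in the chain quoted above (steps 1 and 3 here, and steps 1 and 3 of the earlier "How the attack appears to have worked" post) are a served "image" whose bytes are really HTML, and localStorage content being written into the page unsanitised. The Node.js block below is an added example, not code from the thread, from imgur or from 8chan; the function names, the constructed polyglot sample and the markup regex are assumptions, and it shows the defender-side checks: type the upload by its magic bytes rather than its URL extension, refuse image/HTML polyglots, serve with nosniff, and escape stored favourites before rendering.

```javascript
const MAGIC = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  gif: [0x47, 0x49, 0x46, 0x38],          // "GIF8": GIF87a or GIF89a
  jpg: [0xff, 0xd8, 0xff],
};
const MIME = { png: "image/png", gif: "image/gif", jpg: "image/jpeg" };

// Identify the image type from its leading bytes, ignoring the declared name.
function sniffImageType(buf) {
  for (const [type, magic] of Object.entries(MAGIC)) {
    if (magic.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Reject an upload whose declared extension disagrees with the real magic
// bytes, or whose bytes carry HTML/script markup (an image/HTML polyglot).
function validateImageUpload(buf, declaredExt) {
  const ext = declaredExt.toLowerCase();
  const declared = ext === "jpeg" ? "jpg" : ext;
  const actual = sniffImageType(buf);
  if (actual === null) return { ok: false, reason: "unrecognised magic bytes" };
  if (actual !== declared) return { ok: false, reason: `declared ${declared}, content is ${actual}` };
  const text = Buffer.from(buf).toString("latin1");
  if (/<\s*\/?\s*(script|html|body|iframe|object|embed|svg)\b/i.test(text))
    return { ok: false, reason: "HTML/script markup embedded in image" };
  return { ok: true, type: actual };
}

// Headers for serving a stored image: Content-Type from the bytes, never from
// the URL, plus nosniff so the browser cannot reinterpret the body as HTML.
function imageResponseHeaders(buf) {
  const type = sniffImageType(buf);
  return { "Content-Type": type ? MIME[type] : "application/octet-stream",
           "X-Content-Type-Options": "nosniff" };
}

// Favourites read from localStorage are untrusted: escape them before they are
// inserted as HTML, so a stored "<script>" stays inert text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" }[c]));
}
function renderFavorites(favorites) {
  return "<ul>" + favorites.map((f) => `<li>${escapeHtml(f)}</li>`).join("") + "</ul>";
}

// Constructed sample (not a real payload): a valid PNG header followed by markup.
const POLYGLOT = Buffer.concat([Buffer.from(MAGIC.png), Buffer.from("<script>alert(1)</script>")]);
const GIF_SAMPLE = Buffer.from(MAGIC.gif.concat([0x39, 0x61]));   // "GIF89a"
```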
